Do you employ a risk and control inventory?
No matter where you get your business news, it seems like a day never goes by without a story about a large reputable organization in hot water for a failure of management to recognize and manage a risk.
However, the news is also full of favorable press for executives and businesses navigating tricky waters and thriving despite risks.
In order to understand risk, let’s start with the dictionary definition. Risk is the “possibility of suffering harm or loss; danger”; for example, loss of financial wealth, emotional well-being, social status, or physical health. We take risks in order to gain a reward resulting from a given action or inaction, foreseen or unforeseen. The biggest problem with risk is that too many businesses fail to thoroughly understand and manage it. In order to manage risk, you need to be able to measure and understand your organization’s tolerance for risk.
Then, how do we measure risk and how do we minimize risk? How do we weigh our options as we assess risks? What is our risk appetite?
How to Make an Educated, Real-Time Decision About Risk
Executives must make decisions every day, often under tremendous pressure to deliver an answer in a split second. How do you know that you are making the right decisions?
The key to making educated risk decisions in the spur of the moment is to develop a thorough understanding of the risks that your business faces and its tolerance for risk ahead of time. Armed with this knowledge, you can proactively manage existing risks and identify and respond to new risks as they arise.
Being risk-focused means having your ducks in a row. Some items to consider:
- Understand the risks within your industry, e.g., operational, environmental, regulatory, and technical.
- Have an idea what your competitors are doing regarding risks and their reactions to them.
- Do you have a risk and control inventory?
- What is your organizational risk culture and what risk programs do you presently have in place?
10 Steps for Creating a Risk and Control Inventory
One way to understand the risks that affect your business or department is to create and maintain process flows and narratives that identify relevant risks and their controls. This is a very simple exercise, but many businesses never take the time to do it.
Follow these steps to create a risk and control inventory:
- Challenge your team to stop and think about the processes within their specific area.
- Identify processes that generate inputs to your workflow. (What must happen before we can start our work?)
- Identify where your process outputs go. (What steps happen once your work is done?)
- Inventory each process within your area that modifies the input you receive in order to create the output you deliver. Document these processes in writing.
- Plot each process from beginning to end. (Sometimes you might have to think about the actual processes by breaking them down to several pieces. You can go as high-level or as detailed as you wish).
- Once you understand each of the process steps, identify the risks associated with them. For every step, list each of the possible things that could go wrong.
- Then identify the corresponding controls designed to address those risks.
- Number your risks and controls for easy reference. Make sure that each risk has at least one corresponding control. If one doesn’t exist now, the creation of a new control could be one of the first to-dos coming out of the process. (An added dividend of this process is you may identify repetitive or non-value-added steps that can be eliminated to streamline the flow.)
- Create a process flow narrative. It shouldn’t merely repeat the process steps. The narrative should add value to the process by identifying associated risks and controls at each step.
- Refer to these risks and controls going forward by their assigned reference numbers. Documentation should be clear and precise, including just enough detail that the reader understands the risks in play.
The flowcharting process may take several tries. Confer with process owners to determine how detailed you need to make the chart in order to help everyone understand their roles in identifying and controlling risks. Don’t get discouraged if you cannot get the processes down the first time. Once completed, the chart will help you see exactly where the risks and controls lie. Once they are identified, the next step is to decide how to use this information to mitigate these risks.
Connect with a Freed Maxick Risk Management Expert
If you would like to learn more about how to document risks within your organization, contact one of our Freed Maxick risk professionals here, or call us at 716.847.2651 to discuss the risk services that we offer. Our risk professionals currently work with clients from multiple industry sectors.
We will work with you and your organization to complete an assessment that will identify risks, make recommendations for improving your current processes and controls, and advise you on risk management best practices. We look forward to working with you.
How Risk Discovery and Mitigation Can Help Stop Future Headaches
Have you thought about how risks are discovered at your organization? Do employees understand the risks that exist within their work areas and how they impact the overall organization?
When we’re occupied with day to day functions, we typically don’t see dangers and uncertainties lurking around the corner. These uncertainties are threats often embedded within business processes and environments that are not easily identifiable. Threats can come from sources including, but not limited to: strategic; operational; financial; legal; regulatory and compliance; credit; product/service; and natural cause/disaster risks.
The Value of Risk Assessments
One way of understanding risk is to document processes and conduct a risk assessment.
The goal of a risk assessment is to identify potential threats to the business, down to the unit level, and to understand the root cause of these risks. Then you can start a discussion on what type of risk mitigation efforts are required: acceptance as a cost of doing business, transference (insurance) or mitigation (control environment).
These activities bring you one step closer to establishing an effective Risk Management Program.
What role does one play in this risk arena? Basically, a Risk Management Program is the identification, evaluation, and prioritization of various risks, followed by an analysis and documentation of the proper courses of action.
A Six Step Risk Assessment Plan
One way to assess risk within your immediate business area(s) is by applying the following steps:
- Define your business process by creating process flows with narratives.
- Identify the potential risk areas within the process flow.
- List the controls or the lack of controls (gaps) in place.
- Create a risk ranking scale and map specific risks to your business areas.
- Have risk discussions with management to determine the risk appetite and tolerance.
- Align risks at the Enterprise Risk level. Risks should be aligned from different business areas to higher level risks (enterprise level).
Bringing Uncertainty Into A Manageable Form
Although risk management can take many forms, these initial steps will help you understand existing risks and identify potential risks. They will allow you to have a better pulse on the unknown.
The key to risk management is to bring uncertainty into a more manageable form while not disrupting the organization’s overall business goals and objectives. The better the control over a risk, the less the likelihood of an unexpected loss. A good Risk Management Program will result in meeting the business objectives of your company or organization at reduced costs.
You Need "All Hands on Deck" for Risk Management
Organizational risks must be understood and managed by all employees. The culture of a business that manages risk well is reflected in its people, processes, and technology, and in how each of those assets is deployed and dynamically related to the others. Having the proper strategic efforts within the specific business units, including transparency and an understanding of how these risks relate to the broader organization, will allow risks to be managed at the tolerance level that management is willing to accept.
Connect with a Freed Maxick Risk Management Expert
If you would like to learn more about how to minimize risk within your organization, contact one of our Freed Maxick risk professionals here, or call us at 716.847.2651 to discuss the risk services that we offer. Our risk professionals currently work with clients from multiple industry sectors.
We will work with you and your organization to complete an assessment that will identify risk, make recommendations for improving your current processes, and advise you on risk management best practices. We look forward to working with you.